Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

European Multi-Stakeholder Group Releases Connected Vehicles Report

shutterstock_257751184Connected cars can generate large volumes of data, including data on engine performance, location, and driver behaviour. The European Commission has convened multi-stakeholder groups to figure out how to organize access to that data in a safe, competitively neutral, and privacy-friendly way. Two recent reports shed light on the principles under consideration for data sharing infrastructures in the EU. And legislative and regulatory developments in the EU will likely have a substantial impact on connected car deployments.

Continue Reading

Posted in International/EU Privacy

Russia Releases Data Localization Inspection Plan for 2016

shutterstock_366140141In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.

Continue Reading

Posted in International/EU Privacy

International Data Transfers – The Uncertainty Continues

EU-flag-map-Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules (BCR).  So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October.  The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months. Continue Reading

Posted in Employment Privacy

The European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights

shutterstock_236973880To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However a recent decision from the European Court of Human Rights (ECHR) confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.

Continue Reading

Posted in International/EU Privacy, News & Events

Breaking: EU-U.S. Privacy Shield to Replace Safe Harbor

Cross-Border TransferThe European Commission has announced an agreement today with the United States Department of Commerce (DOC) to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” The Privacy Shield aims to address the requirements set out by the European Court of Justice in its Oct. 6, 2015 ruling by imposing stronger obligations on companies, providing stronger monitoring and enforcement by the DOC and Federal Trade Commission (FTC), and making commitments regarding access to information on the part of public authorities. In announcing the agreement, Vice-President Ansip noted his belief that the Privacy Shield will benefit both European businesses and citizens, and will prove to be a “much better” solution for transatlantic data flows. Below are three highlights that have been publicly announced by the parties thus far: Continue Reading

Posted in Cybersecurity & Data Breaches, News & Events

Hogan Lovells Expands Cybersecurity Practice; Launches Cyber Risk Services

CybersecuriAnyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that team gets even more diverse adding for example highly-specialized forensics professionals and public relations specialists to help manage remediation, investigations, and potentially notification efforts.

That’s why we have formed Hogan Lovells Cyber Risk Services, a dedicated team of cyber technical and risk management professionals. Working side by side with our lawyers, our expanded team enables us to provide more of what our Cybersecurity Solutions practice is already known for: a unique blend of technical knowledge, operational experience, and of course legal and regulatory skills that can help clients manage the increasing variety of cybersecurity issues and situations with which they need help.

More information is available below.

Continue Reading

Posted in International/EU Privacy

Safe Harbor Aftermath – Never a Reason to Panic

shutterstock_214199569It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single one of them with intra-group agreements, model clauses and the like. It’s been like this since October and the pace is anything but slowing down. Sorting out international data transfers has always been a difficult compliance challenge for multinationals but the current levels of anxiety are simply unprecedented.

From what I have seen across organisations of all sizes and cultures, the general panic has been in crescendo since the Court of Justice of the European Union (CJEU) issued its ruling invalidating the Safe Harbor adequacy decision. No matter how many times – in public and in private – we have tried to convey the message that there was no reason to panic, fear and uncertainty have taken over the world of international transfers of personal data. It really shouldn’t have been this way but why have we suddenly seen this level of frantic activity to try and legitimise cross-border dataflows when the legal restrictions have been around for the best part of 20 years? Sure, the Safe Harbor decision was pretty dramatic, but only a limited proportion of transfers were covered by it anyway. Why do we appear to be facing some sort of data transfers Armageddon? Continue Reading

Posted in Cybersecurity & Data Breaches

FERC Adopts Revised Reliability Standards for Cybersecurity

shutterstock_123802696On January 21, 2016, the Federal Energy Regulatory Commission (FERC) issued a final rule adopting seven revised critical infrastructure protection (CIP) Reliability Standards addressing cybersecurity of the electric grid, as initially proposed in July 2015. The revised standards were developed by the North American Electric Reliability Corporation (NERC), the FERC-certified Electric Reliability Organization, in response to FERC Order No. 791. Continue Reading

Posted in International/EU Privacy

The GDPR: Things You Should Know


To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement.  After an intense legislative process of more than 4 years, an ambitious, complex and strict new law that is set to transform the way in which personal information is collected, shared and used globally.  Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.

Posted in Health Privacy/HIPAA, International/EU Privacy

The Final GDPR Text and What It Will Mean for Health Data

shutterstock_286916690The EU General Data Protection Regulation (“GDPR”) has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.

Continue Reading